Agnech
Engine 6 of 7

Graph Analysis Engine

Build and query comprehensive code relationship graphs. Discover hidden connections between components that create security vulnerabilities.

Overview

The Graph Analysis Engine constructs multiple interconnected graphs representing your codebase's structure. These graphs enable powerful queries that find complex vulnerability patterns spanning multiple files and components.

Graph-Based Security Analysis

Find all paths from user input to database queries
Identify functions reachable from public APIs
Detect circular dependencies that may cause issues
Map the blast radius of vulnerable code

Graph Types

Call Graph

Maps function calls across the codebase

Dead code detectionAttack surface mappingImpact analysis

Data Flow Graph

Tracks how data moves between variables and functions

Taint analysisInformation flowData leakage

Control Flow Graph

Models execution paths within functions

Branch coverageComplexity analysisPath enumeration

Dependency Graph

Shows relationships between modules and packages

Impact analysisCircular dependency detectionBuild optimization

Query Language

Bloodhound provides a powerful query language for exploring code graphs. Find complex patterns that would be impossible to detect with simple searches.

Cypher
1// Find all paths from HTTP handlers to SQL queries
2MATCH path = (handler:Function)-[:CALLS*]->(query:Function)
3WHERE handler.annotation = "HttpHandler"
4  AND query.name MATCHES ".*query.*|.*execute.*"
5  AND NOT EXISTS {
6    (n)-[:CALLS]->(sanitizer:Function)
7    WHERE sanitizer.annotation = "Sanitizer"
8    AND n IN nodes(path)
9  }
10RETURN path
11

12// Result:
13// ┌────────────────────────────────────────────────────────────┐
14// │ Path 1: handleUser() → getUser() → db.query()             │
15// │ Path 2: handleSearch() → searchProducts() → db.execute()  │
16// │ Path 3: handleAdmin() → deleteUser() → db.query()         │
17// └────────────────────────────────────────────────────────────┘
18

19// Find functions with high vulnerability exposure
20MATCH (f:Function)<-[:CALLS]-(caller:Function)
21WHERE f.hasVulnerability = true
22WITH f, count(caller) as exposure
23ORDER BY exposure DESC
24LIMIT 10
25RETURN f.name, f.vulnerability, exposure
26

27// Find circular dependencies
28MATCH cycle = (m:Module)-[:IMPORTS*]->(m)
29RETURN nodes(cycle) as circular_dependency

Vulnerability Patterns

Pre-built graph patterns for common vulnerability types.

Privilege Escalation Path

Critical

Finds paths where low-privilege code can reach high-privilege operations.

Cypher
1MATCH path = (public:Function {access: "public"})
2              -[:CALLS*]->(admin:Function {access: "admin"})
3WHERE NOT EXISTS {
4  (auth:Function {type: "authCheck"})
5  WHERE auth IN nodes(path)
6}
7RETURN path

Data Exfiltration Risk

High

Identifies paths where sensitive data flows to external outputs.

Cypher
1MATCH path = (sensitive:Data {classification: "PII"})
2              -[:FLOWS_TO*]->(output:Function {type: "external"})
3WHERE output.name IN ["log", "send", "write", "console"]
4RETURN path, sensitive.name, output.name

Attack Surface Mapping

Info

Maps all code reachable from public endpoints.

Cypher
1MATCH (endpoint:Function {exposed: true})
2      -[:CALLS*0..10]->(reachable:Function)
3RETURN endpoint.route,
4       collect(DISTINCT reachable.name) as attack_surface,
5       count(reachable) as surface_size
6ORDER BY surface_size DESC

Visualization

The VS Code extension provides interactive graph visualization for exploring code relationships.

Interactive graph visualization

Click nodes to explore • Drag to rearrange • Zoom to navigate

Graph Export

Export graphs to DOT, JSON, or GraphML formats for use in external visualization tools like Gephi or Neo4j Browser.

API Access

Access graph data programmatically for custom analysis and integrations.

TypeScript
1// Using the Bloodhound Graph API
2import { BloodhoundGraph } from '@agnech/bloodhound';
3

4const graph = await BloodhoundGraph.analyze('./src');
5

6// Query the call graph
7const sqlPaths = await graph.query(`
8  MATCH path = (entry:Function {type: "handler"})
9              -[:CALLS*]->(db:Function {type: "database"})
10  RETURN path
11`);
12

13// Get metrics
14const metrics = await graph.metrics();
15console.log(metrics);
16// {
17//   nodes: 2847,
18//   edges: 8423,
19//   avgDegree: 2.96,
20//   clusters: 12,
21//   cyclomaticComplexity: 847
22// }
23

24// Find affected code for a vulnerability
25const affected = await graph.impactAnalysis('src/utils/parse.ts', 'parseInput');
26console.log(`${affected.length} functions may be affected`);

Next Engine

Graph analysis results feed into the AI Engine for intelligent false positive detection and prioritization.